coheigea commented on code in PR #271: URL: https://github.com/apache/santuario-xml-security-java/pull/271#discussion_r1488890018
########## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDFParamsImpl.java: ########## @@ -0,0 +1,198 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.utils.Constants; +import org.apache.xml.security.utils.ElementProxy; +import org.apache.xml.security.utils.EncryptionConstants; +import org.apache.xml.security.utils.XMLUtils; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +/** + * Class HKDFParamsImpl is an DOM representation of the HKDF Parameters. + */ +public class HKDFParamsImpl extends ElementProxy implements KDFParams { + + + /** + * Constructor creates a new HKDFParamsImpl instance. + * + * @param doc the Document in which to create the DOM tree + */ + public HKDFParamsImpl(Document doc) { + Review Comment: Remove blank line ########## src/test/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDFTest.java: ########## @@ -0,0 +1,144 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + + +import org.apache.xml.security.binding.xmldsig.DigestMethodType; +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.signature.XMLSignature; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.CsvSource; + +import javax.xml.crypto.dsig.DigestMethod; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static org.junit.jupiter.api.Assertions.*; + +/** + * The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) tests as defined + * in RFC 5869, Appendix A. Test Vectors + */ +class HKDFTest { + + @ParameterizedTest(name = "{index}. {0}") + @CsvSource({ + "'Rfc5869: Test Case 1','http://www.w3.org/2001/04/xmlenc#sha256'," + + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b," + + "000102030405060708090a0b0c,f0f1f2f3f4f5f6f7f8f9,42, " + + "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5," + + "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865", + "'Rfc5869: Test Case 2','http://www.w3.org/2001/04/xmlenc#sha256', " + + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f," + + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf," + + "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff," + + "82, " + + "06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244," + + "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87", + "'Rfc5869: Test Case 3','http://www.w3.org/2001/04/xmlenc#sha256', " + + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b," + + "''," + + "''," + + "42, " + + "19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04," + + "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8", + "'Rfc5869: Test Case 4','http://www.w3.org/2000/09/xmldsig#sha1', " + + "0b0b0b0b0b0b0b0b0b0b0b," + + "000102030405060708090a0b0c," + + "f0f1f2f3f4f5f6f7f8f9," + + "42, " + + "9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243," + + "085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896", + "'Rfc5869: Test Case 5','http://www.w3.org/2000/09/xmldsig#sha1', " + + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f," + + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf," + + "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff," + + "82, " + + "8adae09a2a307059478d309b26c4115a224cfaf6," + + "0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4", + "'Rfc5869: Test Case 6','http://www.w3.org/2000/09/xmldsig#sha1', " + + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b," + + "''," + + "''," + + "42, " + + "da8c8a73c7fa77288ec6f5e7c297786aa0d32d01," + + "0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918", + "'Rfc5869: Test Case 7','http://www.w3.org/2000/09/xmldsig#sha1', " + + "0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c," + + "," + + "''," + + "42, " + + "2adccada18779e7c2077ad2eb19d3f3e731385dd," + + "2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48", + }) + void deriveKey(String name, String hash, String ikm, String salt, String info, int length, String prk, String okm) throws XMLSecurityException { + byte[] saltBytes = hexStringToByteArray(salt); + byte[] infoBytes = hexStringToByteArray(info); + byte[] ikmBytes = hexStringToByteArray(ikm); + + byte[] expectedPRK =hexStringToByteArray(prk); + byte[] expectedOKM =hexStringToByteArray(okm); + String hMacHashAlgorithmURI = getHMacHashForHashUri(hash); + HKDF hkdf = new HKDF(hMacHashAlgorithmURI, saltBytes); + byte[] extractedKey = hkdf.extractKey(ikmBytes); + byte[] derivedKey = hkdf.deriveKey(ikmBytes, infoBytes, 0, length); + + assertArrayEquals(expectedPRK, extractedKey); + assertArrayEquals(expectedOKM, derivedKey); + } + + + public static byte[] hexStringToByteArray(String value){ Review Comment: Why can't we use the method in XMLCIpherUtil that was added instead of this? ########## src/main/java/org/apache/xml/security/encryption/XMLCipherUtil.java: ########## @@ -302,4 +338,30 @@ public static ConcatKDFParams constructConcatKeyDerivationParameter(int keyBitLe kdp.setSuppPrivInfo(suppPrivInfo); return kdp; } + Review Comment: I guess we should add javadoc here to align with the concat static method? ########## src/main/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDFParamsImpl.java: ########## @@ -0,0 +1,198 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * <p> + * http://www.apache.org/licenses/LICENSE-2.0 + * <p> + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.utils.Constants; +import org.apache.xml.security.utils.ElementProxy; +import org.apache.xml.security.utils.EncryptionConstants; +import org.apache.xml.security.utils.XMLUtils; +import org.w3c.dom.Document; +import org.w3c.dom.Element; + +/** + * Class HKDFParamsImpl is an DOM representation of the HKDF Parameters. + */ +public class HKDFParamsImpl extends ElementProxy implements KDFParams { + + + /** + * Constructor creates a new HKDFParamsImpl instance. + * + * @param doc the Document in which to create the DOM tree + */ + public HKDFParamsImpl(Document doc) { + + super(doc); + } + + /** + * Constructor HKDFParamsImpl from existing XML element + * + * @param element the element to use as source + * @param baseURI the URI of the resource where the XML instance was stored + * @throws XMLSecurityException if the construction fails for any reason + */ + public HKDFParamsImpl(Element element, String baseURI) throws XMLSecurityException { + super(element, baseURI); + } + + /** + * Sets the <code>DigestMethod</code> Element + * + * @param hmacHashAlgorithm is the digest method URI value. + */ + public void setPRFAlgorithm(String hmacHashAlgorithm) { + Element targetElement = + XMLUtils.selectNode(getElement().getFirstChild(), getBaseNamespace(), EncryptionConstants._TAG_PRF, 0); + Review Comment: Remove blank lines ########## src/test/java/org/apache/xml/security/encryption/keys/content/derivedKey/HKDFTest.java: ########## @@ -0,0 +1,144 @@ +/** + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ +package org.apache.xml.security.encryption.keys.content.derivedKey; + + +import org.apache.xml.security.binding.xmldsig.DigestMethodType; +import org.apache.xml.security.exceptions.XMLSecurityException; +import org.apache.xml.security.signature.XMLSignature; +import org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.CsvSource; + +import javax.xml.crypto.dsig.DigestMethod; +import java.security.InvalidKeyException; +import java.security.NoSuchAlgorithmException; + +import static org.junit.jupiter.api.Assertions.*; + +/** + * The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) tests as defined + * in RFC 5869, Appendix A. Test Vectors + */ +class HKDFTest { + + @ParameterizedTest(name = "{index}. {0}") + @CsvSource({ + "'Rfc5869: Test Case 1','http://www.w3.org/2001/04/xmlenc#sha256'," + + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b," + + "000102030405060708090a0b0c,f0f1f2f3f4f5f6f7f8f9,42, " + + "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5," + + "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865", + "'Rfc5869: Test Case 2','http://www.w3.org/2001/04/xmlenc#sha256', " + + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f," + + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf," + + "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff," + + "82, " + + "06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244," + + "b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87", + "'Rfc5869: Test Case 3','http://www.w3.org/2001/04/xmlenc#sha256', " + + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b," + + "''," + + "''," + + "42, " + + "19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04," + + "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8", + "'Rfc5869: Test Case 4','http://www.w3.org/2000/09/xmldsig#sha1', " + + "0b0b0b0b0b0b0b0b0b0b0b," + + "000102030405060708090a0b0c," + + "f0f1f2f3f4f5f6f7f8f9," + + "42, " + + "9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243," + + "085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896", + "'Rfc5869: Test Case 5','http://www.w3.org/2000/09/xmldsig#sha1', " + + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f," + + "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf," + + "b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff," + + "82, " + + "8adae09a2a307059478d309b26c4115a224cfaf6," + + "0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4", + "'Rfc5869: Test Case 6','http://www.w3.org/2000/09/xmldsig#sha1', " + + "0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b," + + "''," + + "''," + + "42, " + + "da8c8a73c7fa77288ec6f5e7c297786aa0d32d01," + + "0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918", + "'Rfc5869: Test Case 7','http://www.w3.org/2000/09/xmldsig#sha1', " + + "0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c," + + "," + + "''," + + "42, " + + "2adccada18779e7c2077ad2eb19d3f3e731385dd," + + "2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48", + }) + void deriveKey(String name, String hash, String ikm, String salt, String info, int length, String prk, String okm) throws XMLSecurityException { + byte[] saltBytes = hexStringToByteArray(salt); + byte[] infoBytes = hexStringToByteArray(info); + byte[] ikmBytes = hexStringToByteArray(ikm); + + byte[] expectedPRK =hexStringToByteArray(prk); + byte[] expectedOKM =hexStringToByteArray(okm); Review Comment: Add space after the = sign -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
